I'm probably boring you to death by now with my slightly revolutionary preachings, but the best way to drive
a message home is by repeating it incessantly, with only small variations in the general tone. After all, that is
what politicians do all the time.

Seriously, I've been giving the whole security thingie a lot of thought lately. Not so much as follow the
well-known, well-oiled mantras, more like taking a very good look at the security arena and filtering out the
crud. And there seems to be quite a lot of it. Today, I'd like to take another step forward and make your
security model even more efficient and foolproof than before. Don't panic, read the whole thing before you
judge.

Introduction

I've given you a taste of what security ought not to be in my Poor Windows
users article. You may also have read my articles on safe Web practices and mail security, which explain
the basics of healthy computer usage without going overboard. Then, you also have overviews of Windows 7
security, part one and two,
and SuRun, a sudo-like tool for Windows XP.

In all of these articles, I've emphasized the importance of abstract security. In other words, a good security
strategy is flexible and system-agnostic. You can apply pretty much the same model on different operating
systems with only minimal adaptations. Furthermore, you avoid tactical ingredients, in this case very specific,
narrowly targeted tools aimed at isolated attack vectors. All kinds of anti-X programs in Windows fall into this
category. And while they offer some prevention, containment and cleaning capabilities, they are usually
ineffective, because they follow the blacklist approach (they can only recognize what is already known to be
bad) and rely heavily on user actions.

My goal is to provide you with a universal, whitelist-leaning security that does not depend on signatures, user
skill or recipe-like investments. Anything that does depend on those will eventually fail, for as long as
Murphy's law or one of its lemmas holds.

Safe Web and Mail security articles are a very
good start. SuRun also gives you a taste of what running a hassle-free limited account
in Windows can be, compared to Linux. Now, comes the third part in this long series of education, and this is
all about customer satisfaction.

Status Quo

Today, security is a 0% guarantee business - in the home environment. How so, you're asking? Well, it's very
simple. Pretty much every single EULA for security software, as well as any other software for that matter,
includes a very fat disclaimer that informs you that using the software is at your own risk, peril and
responsibility. In other words, companies have no accountability for damages caused by the use and misuse of
their products.

Security-wise, this means that if the security program works as advertised, fine. If it does not, it's your
fault. It's a best-effort model: there's no guarantee and the liability is entirely yours. Imagine the car
industry sold vehicles on the best-effort approach. You buy a car and the brochure informs you that the brakes
may not work as expected, and that the company will not be held responsible for any malfunction or failure of
the said component.

In the software world, things are a little different. First, software failure is rarely a life-and-death matter
the way failing brakes are. Second, the potential for misuse is enormous. It is difficult to force security
companies to take responsibility for everything users do, because it is impossible to predict every conceivable
stupidity, let alone prevent it.

As I've wisely pointed out in my Computer licensing article, this could
work if both users and companies were held responsible for their actions. On one hand, users would be forced to
pass a computer usage exam and be held legally accountable for their wrongdoings. On the other, companies would
be held accountable for bugs and flaws in their software. Today, pretty much neither side is. Bottom line, you
use security software, there's no guarantee it will work, and it's your fault. Don't like it, don't use it.
More to follow.

Financial agenda

Many security products are sold - or rather, leased. You pay for an annual license, which grants you the
software resources. The thing is, it is the prime imperative of every company to maximize revenue. Maximizing
profit is done in many ways. A good way of achieving it is by expanding the user base. You do this by
advertising, offering downgraded versions of premium products for free, bundling software products, and
finally, by increasing awareness of your services.

What is the best way to sell security? It's by insecurity. The more insecure your customer is, the more likely
he/she is to buy more security. It's a very simple equation. Security companies know this - and use this, all the time. Therefore, it comes as no surprise that security companies are
often harbingers of digital doom. Whenever you read an advisory about a huge increase in malware, it's always
the head of this or that security company that utters the dreaded message.

Fear mongering works well. It keeps people in check, docile and obedient and willing to spend money to relieve
the horrible feeling of helplessness. Then, there's the matter of education. Whenever you read about horrible
plagues of binary code roaming wild down the lines of the Internet, it usually comes down to this:

Users can get infected just by visiting a page!

Or something silly like this:

Millions of computers at stake, new worm outbreak ...

The combination of medical and disaster terms is meant to trigger basic survival instincts. This seems to work
quite well. However, there is never any mention of the simple ways of preventing malware infections or of how
to avoid these dreadful new attack vectors. For instance, you will rarely see an advisory of the following
kind:

There's a new worm wriggling about. Not to worry, just turn your firewall on.

Simple, right? Remember the Conficker panic? There was a month of headlines without a single mention that simply
turning on even the most basic Windows firewall was enough to stop the network side of it. Conficker's network
vector was an unsolicited inbound RPC request over SMB (TCP port 445) exploiting a hole (MS08-067) that the
monthly update had already patched before the worm appeared; a firewall that drops inbound connections kills
that vector outright. The firewall does not cover the worm's other tricks, spreading via AutoRun on USB sticks
and guessing weak passwords on network shares, which is exactly why you want a strategy rather than a single
product. Uh, another worm. Boring.

But it's easier selling USD49.99 software than telling users to spend 14 seconds educating themselves about the
functionality of the Control Panel in Windows. Stupid users are good for business. If you're uneducated and
ignorant, you're more likely to believe the headlines, more easily coerced into buying false security with
money. This has worked superbly with TV news, it continues with the Internet.

So how can you improve your security?

Here we go. There are several ways. Some are simple and trivial, others take more time and dedication. Others
yet are radical, pure genius. Let me elaborate.

#1: Education

This is your best option. It has the highest return on investment in the long run. You may need to read a
little, but you will gain immensely. Education means being able to rationalize situations and evaluate threats.
Education means taking a step back, breathing deeply, reading between the lines, quenching your impulses,
saving your money, and performing your own research and analysis of the problem at hand, maybe even devising a
solution. Education is understanding how Windows works and why things are not as grim as they seem to be. Learn
how to respond to all kinds of warnings and messages.

Spending time learning about computers is not an easy task, though. Many people treat computers as an
appliance. They do not want to spend time hacking the internals. This is quite understandable and acceptable.
Which is why there's point #2.

#2: Let your voice be heard

You are not just a line on someone's end-of-the-year marketing report. You are a customer and your voice
deserves to be heard. But phoning a third-party support line in a foreign country in non-prime time hours is
probably not the best way of achieving the desired effect. Your best option is NOT to use any security software
that does not have a spotless ethical record. It is very difficult finding companies like those, but there are
a few paladins in Sodom.

Ideally, security should be free. This way, you know there's no hidden goal and that the entire focus is on
delivering a security service to the users. But this is not always possible, because people writing code need
to feed their families, too.

You should strive to avoid software companies that bundle their products with third-party nonsense. You
should boycott companies that ignore their users. Abandon products with a mediocre track record, including
performance, bug fixing, customer satisfaction, and the actual ability to do as advertised. Do not be a hostage.
Always remember that they need you more than you need them. And there's always, always an alternative, even if
you're not really sure what it is at the moment.

#3: Stop using "security" software

You do not really need it. Products XYZ are so 90s. Obsolete in concept. You need a strategy and not tactics.
Anti-virus and anti-phishing toolbar and anti-whatever are just temporary tactics. Tomorrow, the winds of the
Internet wars will change and these tools will become useless relics.

Let me give you the fishing analogy. There's a proverb saying: Give a man a fish and you feed him for a day.
Teach a man to fish and you feed him for a lifetime. I say, take this one step further. Be the one who designs
the fishing rod and the tackle.

Your Windows has what you need, built in. You have a firewall, check. You have a limited (standard) user
account, check. You have Group Policies, check, including Software Restriction Policies on the editions that
ship the policy editor. Then, there's DEP, monthly updates, and a handful of other mechanisms, just waiting for
you to start using them.
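Since the whole point is that the switches are already there, here is how to check them from a PowerShell
prompt. This is an added example, not code from the original article. It audits the built-in items listed
above (firewall, limited user, DEP, updates) and the AutoRun setting that mattered in the Conficker story
earlier on the page. The cmdlets, WMI properties and registry values are the documented Windows ones; the
45-day "recent update" threshold, the OK/FIX labels and the English netsh text matched in the fallback path are
my own assumptions. It needs Windows PowerShell 3 or later.

```powershell
# Added example, not part of the original article. Audits the built-in Windows
# protections the text lists plus the AutoRun setting relevant to Conficker.
# Assumptions (mine): the 45-day update threshold, the OK/FIX labels, and the
# English-locale netsh output parsed on systems without Get-NetFirewallProfile.

function Test-WindowsBaseline {
    $results = New-Object System.Collections.Generic.List[object]

    function Add-Result($Check, $Ok, $Detail) {
        $results.Add([pscustomobject]@{
            Check  = $Check
            Status = $(if ($Ok) { 'OK' } else { 'FIX' })
            Detail = $Detail
        })
    }

    # 1. Firewall: one row per profile (domain/private/public).
    if (Get-Command Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
        foreach ($p in Get-NetFirewallProfile) {
            Add-Result "Firewall ($($p.Name))" ("$($p.Enabled)" -eq 'True') "Enabled=$($p.Enabled)"
        }
    } else {
        # Vista/7: parse netsh text. Assumes English output.
        $profileName = $null
        foreach ($line in (netsh advfirewall show allprofiles state)) {
            if ($line -match '^(\w+) Profile Settings:') { $profileName = $Matches[1] }
            elseif ($line -match '^State\s+(ON|OFF)') {
                Add-Result "Firewall ($profileName)" ($Matches[1] -eq 'ON') "State=$($Matches[1])"
            }
        }
    }

    # 2. Limited user: does the current token carry Administrators rights?
    # Under UAC an administrator in a non-elevated prompt also reports False,
    # because the token is filtered; the article's point is a real standard account.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    Add-Result 'Limited user' (-not $isAdmin) "$($identity.Name), admin token: $isAdmin"

    # 3. DEP policy from WMI: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn (default), 3 OptOut.
    $os       = Get-CimInstance Win32_OperatingSystem
    $depNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $dep      = [int]$os.DataExecutionPrevention_SupportPolicy
    Add-Result 'DEP' ($dep -ne 0) "Policy $dep ($($depNames[$dep]))"

    # 4. Monthly updates: age of the most recent dated hotfix (45 days is my threshold).
    $last = Get-HotFix | Where-Object { $_.InstalledOn } |
            Sort-Object InstalledOn -Descending | Select-Object -First 1
    $recent = $last -and ((Get-Date) - $last.InstalledOn).TotalDays -le 45
    $detail = if ($last) { "$($last.HotFixID) installed $($last.InstalledOn.ToShortDateString())" }
              else       { 'no dated hotfix found' }
    Add-Result 'Updates (<= 45 days)' $recent $detail

    # 5. AutoRun: NoDriveTypeAutoRun = 0xFF (255) disables it for every drive type,
    # which closes the USB-stick vector worms like Conficker used.
    $key     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $autorun = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    Add-Result 'AutoRun disabled' ($autorun -eq 255) "NoDriveTypeAutoRun=$autorun (want 255)"

    return $results
}

# Usage: print the table, then count what still needs attention.
$report = Test-WindowsBaseline
$report | Format-Table -AutoSize
"$(@($report | Where-Object { $_.Status -eq 'FIX' }).Count) item(s) to fix"
```

Run it as the account you actually use day to day, not from an elevated prompt, otherwise the "Limited user"
row tells you about the wrong token. Every FIX row maps to a Control Panel or Group Policy setting you already
own; none of them costs USD49.99.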

On top of these, you can beef your sense of security with totally free programs, which, while not specifically
security related, can help minimize exposure and lessen the impact of unhealthy computing habits. For instance,
SuRun or Firefox.

How about data integrity and backups? People invest so much money trying to prevent malware infections, which
are merely a probability. On the other hand, people rarely invest in making sure
their data is safely backed up from hardware failures, which are a certainty.

Think carefully about this. How many people have had malware at some point in their life? 10%? 30%? How many
people have had a hardware failure at some point in their life? 100%. Amazing, isn't it? You're much better off
spending money on backup solutions, home NAS, imaging software, extra hard disks, and whatnot, than spending
time trying to stave off the Armageddon. A good backup also covers the malware case: if a machine does get
infected, restoring a clean image is faster and more reliable than cleaning it. Oh, there's always Linux, but
that's revolution hardcore.

How is any of this going to help?

You will probably not see any difference in the short run. But you will make an impact, eventually. Any
security company experiencing a massive emigration of users will automatically do several things: woo their
customers, lower the price, offer killer deals, and maybe even work on improving their product. It has happened
before.

Which brings me to my Linux success article. You want Linux to be strong. You
want free software to flourish, because it leads to better and cheaper payware software. This is true for any
aspect of computing, from operating systems via browsers to security.

At the moment, security companies enjoy pretty much a free hand in Windows. They do as they please, cashing in
on the malware rampage and the ignorance of the vast majority of users. But you can make a change. Vote with
your money, it's the best tool you have.

Conclusion

Some of you will be angered by this article. Some will even claim that I'm irresponsible in suggesting Windows
users drop their precious security programs and let the "vile" hackers take hold of their machines.

But how come the entire security concept of the Internet comes down to the little user? How about security
prevention on the server level; malware has to sit somewhere, right? How come users get malware in their mails?
Someone owns the mail servers, after all. How about free education by ISPs? How about redesigning the trust
models?

The truth is not binary. It's not either you use security or you get hacked. My statistics show that most
people suffering from malware infections did and do have security software installed, often out of date or
never updated, but installed nonetheless and not used to its potential, however effective it may be. Not
running the classic anti-X software does not mean disaster. It could. But it does not have to.

There's the middle ground, one where companies can make money, in good faith, while users enjoy handsome
security without spending too much, without wallowing in fear and despair. There's the middle ground where
people have the happy choice of making smart, educated decisions. It's about sharing the pie so that everyone
gets a piece. That way, everyone's a winner. As a user, you have the power to make the change. Think about it.